Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

[Justin Richer <jricher@mitre.org>]

On 08/10/2012 12:48 PM, Dick Hardt wrote:
> On Aug 10, 2012, at 9:28 AM, Justin Richer wrote:
>
>> On 08/09/2012 06:47 PM, Dick Hardt wrote:
>>>
>>> On Aug 9, 2012, at 1:08 PM, Justin Richer wrote:
>>>
>>>> With MAC, you should be able to re-use about 80-90% of your 
>>>> existing codepath that's in place for Bearer, simplifying the setup 
>>>> below.
>>>
>>> That makes no sense, I would be adding MAC to the sites that support 
>>> MAC in addition to OAuth 1.0A or OAuth 2.0
>>
>> You get to re-use all of the code for OAuth2 for issuing tokens (from 
>> server side) and requesting tokens (from client side). Apart from 
>> parsing the JSON value that's returned from the token endpoint (and 
>> you are using a generic parser there, right?), nothing changes here. 
>> The part where you *use* the token to access a protected resource 
>> (client), or *validate* a request to a protected resource (server) 
>> changes significantly, yes. But that's only a small part of the process.
>
> That makes sense, sorry I was not clear on what I said did not make 
> sense, which was "simplifying the setup below"
>
> As a client developer, adding MAC to the mix *increases* my code base 
> as it is yet another protocol to understand and implement against. 
> OAuth 1.0A and OAuth 2.0 bearer are not going to go away.
>
>
OK, I follow now. Yes, that's a fair concern for anyone who has to 
support multiple protocols that aren't mutually compatible. I'm 
personally hoping that OAuth2/MAC will help push out most (if not all) 
of the remaining OAuth1 pieces we have here, helping is shut down at 
least one of those.

  -- Justin